A while back I wrote about the WiFi Pineapple, a wonderful little device that can be used to “audit”1 wireless networks. The device makes it surprisingly easy to act as Man in the Middle (MitM), a technique used by hackers to effectively steal all your passwords and credit card numbers. The cheapest version of the WiFi Pineapple, the Nano, costs just shy of $100. Not a lot of money, but it’s a bit too much for me to spend on a device that can’t be used for anything cool without breaking more laws than I can count. But now there’s a new toy available that does many of the same things as the WiFi Pineapple: PoisonTap.
Price tag? Around $5.
PoisonTap also plays the role as the MitM, but there’s a big difference. While the WiFi Pineapple hijacks wireless networks, PoisonTap needs physical access to the computer you wish to audit. Because of that, it’s easy to dismiss PoisonTap as pretty useless. It’s hard to get physical access to an unattended computer, isn’t it? No, it’s not. If you’re working in an office environment, simply take a look around you at lunch time. And if you have access to a conference center or a hotel, take a look inside. I bet you can find an unattended computer within minutes.
Another reason you might dismiss PoisonTap as worthless, is the size of the delivery vehicle. The version of PoisonTap demoed by its creator, Samy Kamkar, runs on a Raspberry Pi Zero. While the Zero is small, it’s not exactly invisible, and not hard to spot. But the PosionTap software doesn’t have to run on a Raspberry Pi, it’s possible to install it on even smaller computers. Both LANTurtle or USB Armory are viable options. Not too easy to spot one of those connected to the back of the workstation tucked under your desk, is it?
On top of that, the PosionTap doesn’t have to be connected for long. Just leave it plugged in for a minute or two, then pull it out, and walk away. The target computer is now infected, and a persistent backdoor has been installed.
PoisonTap: im in ur base
Let’s say you’ve found your target computer, but the user had the sense to lock it before he left. Now you’re all out of luck, right? No. It doesn’t matter if the target computer is locked. Everything PoisonTap needs access to is available even if the computer is locked. When connected, the PoisonTap will emulate an Ethernet device, and the operating system will start to send requests to the internet through that device. And there you have the MitM.
PosionTap will now start to steal passwords, usernames, e-mail addresses, credit card numbers, and other sensitive information that flows between your computer and the internet.
As with most MitM attacks, this one can be mitigated with server-side security. If the server is configured to use HTTPS exclusively, PoisonTap’s attacks won’t work. In my humble opinion, everyone who runs a website should use HTTPS, no matter what kind of content you’re serving. Simply make it part of your checklist when configuring a new site.
As an end-user, there are also actions you can take to prevent PoisonTap attacks. One option is to close your browser every time you live your computer. Impractical, but a minor annoyance compared to the alternatives. You can either disable the USB and Thunderbolt ports on your computer. Or cement them shut.
And that’s some massive quotation marks. ↩︎